Penetration Testing mailing list archives
RE: Moving from Defense to Offense (or vice versa) to secure your network
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Sun, 27 Nov 2005 19:32:45 -0800
<snip>
Conducting routine audits (both scheduled and un-scheduled), forensics management (break-in attempts, viruses, trojans, etc.), policy management (in most cases, this can represent almost as much as 70% of the network securification process -- without a good policy, nothing will have any significance or meaning), and more. Pentesting is just 1-3% of the entire securification process.
You won't find me disagreeing with anything in what you said here, Bob. One thing I wanted to mention was how forcing yourself to think outside your normal comfort level can bring some unexpected benefits. I recently sub'd out some pen-test work to someone (due to scheduling conflicts) whose background was all on the defense side of things. A comment he made that really touched off my initiating this discussion was that he was learning a hell of a lot from using some of the standard pen-test tools out there (Nessus, Nmap, etc.) in ways that were outside his normal usage. While some tools were new, others (such as Nmap) that he had experience with were making him use them in different ways than his norm due to the nature of pen-testing, and opening a new insight into security as a whole as a result.

While I completely agree that a complete security model should incorporate facets of audits, policy management, forensics, etc., it never occurred to me that the very nature of pen-testing methodologies would be such an eye opener for a person whose background in security is rather lengthy and accomplished. I'm thinking it would be beneficial for any security group to play with pen-testing for a spell just to see what new insights and skill sets they can glean.

-Erin Carroll
SecurityFocus pen-test list moderator
Current thread:
- Moving from Defense to Offense (or vice versa) to secure your network Erin Carroll (Nov 26)
- Re: Moving from Defense to Offense (or vice versa) to secure your network James Eaton-Lee (Nov 27)
- Re: Moving from Defense to Offense (or vice versa) to secure your network Byron Sonne (Nov 27)
- Re: Moving from Defense to Offense (or vice versa) to secure your network Frederic Charpentier (Nov 27)
- Re: Moving from Defense to Offense (or vice versa) to secure your network Bob Radvanovsky (Nov 27)
- RE: Moving from Defense to Offense (or vice versa) to secure your network Erin Carroll (Nov 27)
- <Possible follow-ups>
- RE: Moving from Defense to Offense (or vice versa) to secure your network Evans, Arian (Nov 28)